allow-update in global options (was Re: bind and certbot with dns-challenge)

Evan Hunt each at
Wed Apr 3 23:08:22 UTC 2019

On Tue, Apr 02, 2019 at 06:28:02PM +0200, Alan Clegg wrote:
> The answer to your question is:  "someone at ISC".

Oh, I'm willing to take the public blame here, Alan. It's not like the
commits don't have my name on them.

The code the processes allow-update was written in an oddly circuitious
fashion, and this combined with a badly misleading C comment led me to
believe that allow-update and update-policy had the same rules about
where they could be set - and, update-policy can only be set in zone
statements. (This is personally embarrassing, but if you read the relevant
code and comments in configure_view() you might see how easy it is to be

I actually do still think that *ought* to be the rule for allow-update,
but it wasn't, so when I cleaned things up I cleaned them up wrong, mea

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list